CVE-2021-39231

CRITICAL9.1EPSS 1.2%

Exposure of sensitive information in Apache Ozone

Published: 11/23/2021Modified: 11/15/2023

Description

In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration.

Affected packages (1)

Maven/org.apache.ozone:ozone-mainfrom 0, < 1.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-39231
PATCHhttps://github.com/apache/ozone
WEBhttps://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C110cd117-75ed-364b-cd38-3effd20f2183%40apache.org%3E
WEBhttp://www.openwall.com/lists/oss-security/2021/11/19/2